If you discover a security vulnerability, please report it privately by emailing [[email protected]] or opening a GitHub Security Advisory. We will respond as quickly as possible and keep your identity confidential.
We support the latest major version of the project. Older versions may not receive security updates.
We use automated tools to monitor for vulnerabilities in our Go dependencies. Our policies include:
- All dependencies are managed using Go modules.
- We scan dependencies using `govulncheck` (the official Go vulnerability scanner) during CI runs.
- Dependencies with critical or high vulnerabilities must be updated or replaced before merging changes.
- Only use actively maintained and well-reviewed third-party packages.
- Run `go mod tidy` before submitting PRs to ensure module integrity.
- Run `govulncheck ./...` locally to check for known vulnerabilities.
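As an added example (not part of this policy or the project's own CI), a GitHub Actions workflow that enforces the dependency rules above: a reachable-vulnerability scan with `govulncheck` and a check that `go mod tidy` leaves `go.mod`/`go.sum` unchanged. The workflow name, job names, branch name and schedule are assumptions.

```yaml
# Added example, not the project's own CI. Job, branch and schedule are assumed.
name: dependency-security

on:
  pull_request:
  push:
    branches: [main]
  schedule:
    - cron: "0 6 * * 1"   # weekly rescan picks up advisories published after merge

permissions:
  contents: read

jobs:
  govulncheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      # Install the official scanner; pin a version instead of @latest if the
      # CI run must be reproducible.
      - run: go install golang.org/x/vuln/cmd/govulncheck@latest
      # Exits non-zero when a known vulnerability is reachable from this
      # module's code, which is what blocks the merge.
      - run: govulncheck ./...

  mod-tidy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      # Fail if `go mod tidy` would modify go.mod or go.sum: the module graph
      # on record would then differ from the one actually built.
      - run: |
          go mod tidy
          git diff --exit-code -- go.mod go.sum
      # Reject cached module contents whose hashes disagree with go.sum.
      - run: go mod verify
```

`govulncheck` reports every reachable known vulnerability regardless of severity, so the critical/high threshold in the policy is applied by reviewers when triaging its findings, not by the tool.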